The mobile device investigator's toolbox

by Christa Miller, Nov 1, 2008

These days, virtually every major criminal activity leaves evidence — images, text messages, call records and more — on mobile devices. Yet for the investigator who knows little or nothing about how to recover this evidence, building a strong case can be difficult — especially after the evidence has been deleted.

State or regional digital forensics labs are frequently overworked and understaffed, while many agencies lack the resources for the training and equipment to support an in-house expert. A good compromise is to train non-expert forensic analysts or investigators to recover essential evidence. However, those who wish to take part in more complex mobile forensics need to know first that mobile forensics is as complicated as computer forensics — and has many of its own challenges. Many tools exist to aid data recovery efforts, but they demand plenty of training and educational support.

Cost challenges

Cost can be a significant challenge to smaller agencies, but SEARCH computer crime training specialist Keith Daniels says the investment in a tool like Cellebrite UFED (see "Data recovery tools" below) can be well worth it. Not only does it have unparalleled support, it's also easy to learn and use.

Cellebrite works quickly enough (15 to 20 minutes) to be used in emergencies, such as with missing persons. "It works so quickly on the street," says Daniels. "It can be a life-saving device." He finds it so useful that he counsels investigators in agencies with limited resources to pool funds with other investigative units to buy it.

If this is not possible, detectives are encouraged to find out whether they can join with a local or regional task force. In California, five task forces are available. "Investigators send phones to us for help," says Brian Farnsworth, an investigator with the Sacramento Valley Hi-Tech Crimes Task Force. "If they find they're getting inundated by mobile evidence, they can join the task force and have access to our resources."

However, not all task forces have the same tools. "In Sacramento Valley, we had to buy most of what's available because we had so much coming in," says Farnsworth. Investigators with no task force at their disposal can apply for grants, such as from the federal Internet Crimes Against Children (ICAC) program, to start one of their own.

Investigative challenges

Investigators who want to move from simple data recovery toward mobile forensics face another challenge: the lack of manufacturing standards, a result of competition. Kipp Loving, a member of the Tracy (California) Police Department as well as the Sacramento Valley task force and a California POST instructor on high-tech crimes, explains that even though consumer demand has driven manufacturers to design their phones more consistently, file structures, data storage, pin connectors and cables vary from manufacturer to manufacturer and even model to model. This makes it impossible for any forensic company to make a tool that recovers data from all phones on the market. In other words, Loving says, "Obtaining the data is easy; it's getting the phone to talk to the forensic computer that's the hard part."

Investigators find that many products exist — and often must be used in conjunction with one another. "Some only extract the phone book; others extract images but not call logs," says Loving. Farnsworth adds that some tools may appear to be the better investment because they claim to support 1,500 phones, but in reality, they can obtain only the devices' phonebook. Tools that support just a fraction of that number, however, often capture all data off their supported devices.

So how does an investigator know which tools are best? Richard Gilleland, a detective with the Sacramento Police Department, says finding out is often a matter of trial and error. He keeps a spreadsheet of what product works with what phone; reseller Teel Technologies, based in Connecticut, runs a secure database at www.MobileForensicsCentral.com that tells investigators the best tools to use for specific phones.

Furthermore, Gilleland adds, what is best for one investigator may not help another. That depends on the actual phones being submitted to the lab for analysis. One well-known tool he tested supported only 10 of the models coming through the Sacramento lab. He notes further that what works on one model may not support a later, updated release of the same model.

The global divide

Many tools — both cheaper and professional forensic applications — originated overseas. "You don't have to reinvent the [investigative] wheel," Loving says, "but you can't stay within U.S. bounds. Cell phones weren't born and bred here, so most of the tools that extract information from them aren't, either." Companies overseas have been seeking to break into the U.S. market, so problems common to other software programs — like language translation — are minimal.

However, foreign software remains limited. That's because in Europe, cell phones use only the Global System for Mobile Communications (GSM). Here, carriers use GSM along with Code Division Multiple Access (CDMA), Integrated Digital Enhanced Network (iDEN), and others. So, while European and Asian phones and the tools used to extract their data are more sophisticated than in the United States, forensic tools from those countries can't be universally applied here. For instance, Logicube's CellDek, according to Mark Menz, vice president of digital forensic and electronic discovery firm MJ Menz & Associates, works well with European and Middle Eastern environments — but not as well in the United States.

Daniels cautions that some foreign data recovery tools are far more complex than U.S.-made tools. "Some that are coming out from the United Kingdom are FTK- or EnCase-level: they require specialized training. They aren't for first responders." Farnsworth adds that with tools that originated in countries like Russia, investigators may find it difficult to obtain technical support — not only because of the language barrier, but also because of the time difference.

Market-driven limitations

As mobile device data recovery becomes more important to criminal investigation, the challenge to find the best tools for the job will increase. "Cell data recovery is now where computer forensics was in 1995," Daniels explains. "This is a new market, and everyone is jumping into it, trying to become the next FTK or EnCase."

Farnsworth notes that as more companies become aware of just how much is involved in mobile device data recovery and forensics, more of them allow their products to be bought and repackaged by established digital forensics firms. Yet the newer products, such as AccessData's Mobile Phone Examiner, support few phones because they are not yet established.

Cheaper tools exist, but Farnsworth and Gilleland both prefer not to discuss them. That's because the increased demand from law enforcement would create a new market, which programmers may not have recognized when they created their tools. In turn, the tools' prices would rise. "Cellebrite went from costing about $600 to $4,000 because of the word 'forensic,' " Gilleland explains. Susteen's Secure View for Forensics saw the same price jump. Both pieces of equipment were originally made to support phone upgrades for consumers.

BitPim is one of the rare programs whose creator left it open source rather than licensing and selling it. As useful as that tool is, however, open source software carries its own risks. In particular, anyone, including criminals, can access and use the same code to program countermeasure software.

Finally, Farnsworth says device manufacturers are becoming wise to the kinds of tricks that allow users, including police, to access device information via a "backdoor." "They don't want you in the code because it's proprietary," he says. "They're developing better ways to hide the technology; eventually you may have to physically unsolder the memory chip to recover data from it."

Legal concerns

Many of the cheaper tools remain forensically unsound — which, Farnsworth cautions, makes it easier for the defense to challenge in court. "They'll do this especially if they have nothing else, because you can't guarantee you made no changes to the device," he says. "However, they have to make the jury believe that the investigator planted the evidence on the device, and that's unlikely."

SEARCH training tells investigators that their task is to recover (or copy) data that's on the phone — not to acquire it. "Data recovery is not held to the same legal standard as computer forensics," explains Daniels, "so that's why it's important to make the distinction."

Farnsworth adds that currently, most attorneys remain unaware of these tools and their capabilities — but will become more knowledgeable as more mobile devices are introduced into evidence. It will thus be incumbent on manufacturers to make their tools forensically sound. "Detectives called on to testify in court aren't engineers; they can't always verify whether the technology they used is forensically sound," Farnsworth says. "Therefore the prosecution would have to subpoena the manufacturer."

Learning the ropes

Farnsworth says that some easy-to-use tools create an expectation that all tools should be as easy. He uses Cellebrite as an example: "It's very logical — it gets standard data and even some deleted information from the device's memory in seconds. What it will not do is get passwords." For those, investigators must turn to a program like BitPim, but they need to know how to use it. "Even something as useful as BitPim writes to the phone, so you have to be careful not to destroy the evidence," says Gilleland.

Not-made-for-forensics tools are only part of the problem. Another is a lack of technical troubleshooting knowledge. "The problem is often not the tool — it's Windows," Farnsworth explains. "The cable doesn't send data to the forensic computer because Windows can't see it. You have to know how to change the port, or the connection speed, or whatever will get Windows to see the device you're working with." SEARCH makes available a troubleshooting guide at www.search.org/files/pdf.

Investigators involved in mobile data recovery may start by using the easier tools. "But to get good at it," says Farnsworth, "you have to learn the business." Daniels says the best way to do this is to attend training. SEARCH provides instruction all over the country; its four-day training — which is available via grant funding, or for a $1,500 fee — allows investigators to get a feel for all tools currently on the market, using 15-20 phones each.

"An officer can join training associations for free and pay for training they offer," says Michael Menz, a Sacramento County Sheriff's Department detective assigned to the Sacramento Valley Hi-Tech Crimes Task Force, who in 2006 served as president of the International High Technology Crime Investigation Association (www.htcia.org). "[The HTCIA] is an association of law enforcement and private enterprise with the goal of training investigators for high technology crime investigations."

Another way to learn is through Internet communities. The High Tech Crime Consortium (www.hightechcrimecops.org) provides criminal investigators access to a controlled listserv and a secure Web application portal. The HTCIA also offers a restricted listserv; Loving's own law-enforcement-only list includes detailed lists of many different resources, including search warrant samples. The U.K.-based Phone-Forensics.com is a secure bulletin board for investigators from all over the world.

Farnsworth also recommends HowardForums Mobile Phone Community & Resource. Although not specifically meant for law enforcement, this community is home to individuals who are some of the savviest when it comes to mobile devices. "If you need to find a way to reveal a password, you log on and ask," he says. "Someone always knows a backdoor, the sequence of buttons you need to press to get to that point." Investigators must take care not to mention case specifics or even that they're police, but can often learn rapidly about devices this way. Finally, Web sites like PhoneScoop.com and Mobiledia.com can be excellent sources about existing and upcoming mobile technologies.

In addition to training, investigators should develop best practices for their own data recovery efforts. SEARCH has developed a series of five worksheets. Available at www.search.org/files/pdf/SeizedHandheldDeviceWorksheets.pdf, the worksheets allow investigators to identify field-seized devices, analyze those devices along with SIM cards, control the analysis, document which tools they used, and make processing requests. "The forms create a standard process for investigators to follow when they're recovering data," says Daniels.

Investigators needn't shy from developing their skills in mobile forensics. The field is complicated with many issues in play, but the community is tightly knit, and a wealth of information exists for those willing to put the time into learning it.

Current and future technology

Mobile technology has advanced to the point where a device the size of a deck of cards — the video iPod — can store up to 160 GB of data. That's comparable to the amount of storage on many computers' hard drives.

Gilleland expects that investigators' jobs will become increasingly complicated as phones further evolve into mini-computers. "More phones are Internet-capable," he explains, "especially now that the iPhone has been released. That means that to track criminal activity, our examinations will more closely resemble computer forensics." Mark Menz of MJ Menz & Associates adds that many newer phones have built-in 10-, 20-, or 30-GB Flash hard drives that analysts will be imaging, much like they do computer hard drives. Yet figuring out how the phones' proprietary operating systems work with those drives will be the hard part for forensic software programmers, who already must reverse engineer their tools.

Another evolving capability is GPS. Many phones now store data that investigators can use to track suspect movements. For those that don't, carriers can sometimes step in. Farnsworth explains, "You can call Sprint, for example, with a court order to push an application to the phone to track it. Most companies have this capability, but don't advertise it because of privacy issues." Gilleland adds that once you have the data, "Paraben and some cheaper tools let you map coordinates in Google Earth. It's extracting the data that's the hard part."

Michael Menz says cell phone service is becoming increasingly universal. "In the near future we will see integrated glasses (or sunglasses) to the cell phone, which is really a portable computer. Plus, the cell phone will be on [a person's] hip [but also integrated with] the car and home phones. The service will be sent to the unit you are closest to." Skype Internet telephony, for instance, transfers a picture phone call to a subscriber's home or cell phone if he doesn't answer the Skype line. "So when a search warrant is done," Menz adds, "it has to be for the cell phone, car phone and home phone."

Both Skype and Vonage work with another pioneering technology: the USB Internet Phone. "Plug [it] into a computer with Internet access, you have your phone," says Menz, pointing out that this will make suspect location virtually impossible. Daniels agrees, saying "porting" is the main issue. Anyone who wants to keep the phone number from their original carrier can transfer it; to verify whether a number has been ported or not, investigators should use Neustar.biz rather than the carrier. Search warrant service will also become increasingly difficult, Menz continues, since a World Trade Organization agreement made it possible to subscribe to a cell service anywhere in the world.

Loving says some carriers allow remote wiping of some devices (such as BlackBerry) in the event that a phone is lost or stolen. "It's important for investigators to identify and contact the carrier to lock down the user account so as not to allow that feature to be enabled," he says. Most carriers will respond to a department letterhead followed up by a court order.

Farnsworth says Google is said to be developing an open source phone called Android, which Daniels says is expected to exceed iPhone's capabilities in performance, durability, and Internet surfing ability. That means its code will be readily available for anyone else to develop supplemental software, including data recovery tools. "There are also rumors about some open source tools that will work with Linux," he says. "If it happens that all phones end up using one operating system, cell forensics will become like computer forensics."

Data recovery tools

SEARCH provides a downloadable document at www.search.org/files/pdf/CellphoneInvestToolkit-0508.pdf. "Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications," written by SEARCH computer crime training specialists Keith Daniels and Lauren Wagner, describes pieces of hardware and software available to law enforcement.

Hardware comes at a range of prices. One of the medium-priced tools, the Cellebrite Universal Forensic Extraction Device (UFED), is indispensable, according to Daniels, because it supports about 95 percent of the cell phones currently on the market. Other law enforcement-specific hardware includes Susteen Secure View for Forensics, which is part of a kit with SecureView software and other equipment, and Paraben's similar Device Seizure ToolBox. Guidance Software's Neutrino integrates with the company's EnCase software so investigators can analyze both mobile and computer evidence.

In addition to the software that comes with the hardware, many investigators round out their arsenal with free or low-cost tools:

The investigator also can take video of the evidence. Daniels recommends Windows MovieMaker software, a FireWire or USB cable, and a digital video camera mounted on a desk tripod. "It's much faster than taking still images of each screen, and you can pause the video to get stills," he explains.

Specialized software exists to make this task easier (though Gilleland doesn't believe it's strictly necessary). For example, Fernico's ZRT (Zippy Reporting Tool, which comes with a Canon A640 10-megapixel camera and a flexible arm with a desk clamp) has a useful reporting tool, which is the product's main feature. Its more expensive ZRTV captures camera video and audio of a crime taking place. "You plug ZRT into the forensic computer and set it to pause every second or two to take screenshots. It's fully automated," Daniels says. Project-a-Phone can accomplish much the same thing.

Some phone manufacturers themselves offer ways to recover data. "When you can't use any of the other tools, go to the manufacturer Web site," Daniels says. "Motorola and BlackBerry make free tools." Gilleland says Motorola PhoneTools, which supports only that company's phones, can recover phonebooks, images and video, though not SMS messages. Such software should be used only as a last resort — it is not forensically sound and is not commonly used in criminal investigations.

Other useful tools can be found on the Internet. Loving explains that phones are sometimes equipped with third-party GPS software such as TeleNav or AccuTracking. Marketed to businesses for years, he says, this kind of technology is beginning to be targeted toward parents. "It's simple," he says. "It allows a parent not only to track their child utilizing GPS and cell phone technology, but also allows them to be proactive in looking at historical data to see where their child has been, what speeds he or she may have traveled throughout the day, and to set up geo-fences to be alerted when a child exits or enters a certain area." All of these records are based on the company's servers, not on the phone, so investigators can get a court order to obtain them.

Another resource is Web-based translation tools for SMS messages, which can be hard to decipher. TransL8it! converts a text message to plain English (and back again); many investigators have found this useful when interpreting messages for juries. Lingo2Word.com can help translate many acronyms found on the Internet and in SMS messages.

Finally, SEARCH makes available a free toolbar that is a kind of one-stop shop for investigative tools. Described at www.search.org/files/pdf/ToolbarFirefox-0508.pdf, the regularly and automatically updated toolbar (downloadable from http://searchinvestigative.ourtoolbar.com/) works as an add-on to Mozilla Firefox and as an executable program with Microsoft Internet Explorer. Its buttons and drop-down menus provide investigators with pre-configured links to sites that provide information on phones, people, ISPs, and so forth; the links cover wireless and online investigations as well as cell phone examinations.